What About Removable/Portable Storage?

My friend and professional colleague David Strom publishes an occasional newsletter called “Web Informant” that I’ve read with enjoyment and occasional flashes of insight for years now. His latest issue, “Web Informant #356, 20 January 2004: What’s on your iPod?” brings up a fascinating issue that infosec professionals had better start grappling with pronto—namely, given that small flash drives, MP3 players, iPods, and even PDAs are starting to include hundreds of MB to as many as 40GB of storage—how can an organization control what gets copied onto such devices (and therefore, becomes entirely capable of being carried out the door)?

Lest you think the premise absurd, it’s probably wise to point out that most music players, keychain drives (aka jump disks), and so forth are just as able to capture ordinary digital files as they are able to accommodate MP3, .wav, and other audio or multimedia formats. This raises the scary specter of any machine that lacks proper access controls and that includes an open USB port becoming an uncontrolled conduit for files leaving (or entering) computers within an organization’s infrastructure.

Ideally, the quick solution to this vexing problem is something like the following:

1. Include coverage of removable/portable storage in the organization’s security policy.

2. Make sure that adequate access controls are in place on USB-equipped machines to prevent sensitive files from being copied to removable/portable storage devices.

3. Educate users that such downloads are against company security policy; define and enforce appropriate disciplinary action for breach of policy.

The grim reality is a bit different, because while Items 1 and 3 are relatively “easy,” the access controls and security monitoring capabilities that Item 2 requires are not. In fact, it’s far from straightforward to enforce such controls, unless sensitive files can’t be downloaded to machines, or unless machines aren’t equipped with USB ports. Neither approach is terribly practical, nor does either match the actual configurations and capabilities of most desktop or laptop/notebook computers in use nowadays.
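Even where copying can’t be blocked outright, attachment of a mass-storage device can at least be detected and logged, which gives Item 3’s disciplinary policy something to act on. The script below is an added example, not something from the newsletter or from the column’s author: it assumes Linux workstations forward their kernel messages to a central syslog, and it parses those messages to report each USB mass-storage attachment per host, joining the device’s enumeration lines (vendor/product ID, manufacturer) to the later usb-storage and disk-size lines, and marking devices whose vendor:product ID is on an approved list. The hostnames, times and IDs in the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample kernel log lines (syslog format): one USB flash drive
# attached to host ws17, and a non-storage USB device (a wireless receiver)
# attached to host ws03. Hostnames, times and IDs are made up for this example.
SAMPLE_LOG = """\
Jan 20 09:14:02 ws17 kernel: usb 1-2: new high-speed USB device number 5 using ehci-pci
Jan 20 09:14:02 ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Jan 20 09:14:02 ws17 kernel: usb 1-2: Manufacturer: SanDisk
Jan 20 09:14:02 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jan 20 09:14:03 ws17 kernel: sd 6:0:0:0: [sdb] 31266816 512-byte logical blocks: (16.0 GB/14.9 GiB)
Jan 20 09:14:03 ws17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 20 09:20:11 ws17 kernel: usb 1-2: USB disconnect, device number 5
Jan 20 10:02:45 ws03 kernel: usb 2-1: new high-speed USB device number 3 using ehci-pci
Jan 20 10:02:45 ws03 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c52b
Jan 20 10:02:45 ws03 kernel: usb 2-1: Manufacturer: Logitech
"""

# Syslog envelope and the individual kernel message shapes we care about.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEVICE_RE = re.compile(r"^usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
MANUFACTURER_RE = re.compile(r"^usb (?P<port>\S+): Manufacturer: (?P<name>.+)$")
MASS_STORAGE_RE = re.compile(r"^usb-storage (?P<port>[^:]+):\S+: USB Mass Storage device detected")
DISK_SIZE_RE = re.compile(r"^sd [\d:]+: \[(?P<node>sd\w+)\] .*\((?P<size>[^/]+)/")


@dataclass
class RemovableStorageEvent:
    timestamp: str
    host: str
    port: str            # USB port path, e.g. "1-2"
    vendor_id: str
    product_id: str
    manufacturer: str
    approved: bool       # vendor:product ID was on the approved list
    device_node: Optional[str] = None   # e.g. "sdb", filled from the sd line
    capacity: Optional[str] = None      # e.g. "16.0 GB"

    @property
    def usb_id(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


def find_removable_storage(log_text: str,
                           approved_ids: FrozenSet[str] = frozenset()) -> List[RemovableStorageEvent]:
    """Return one event per USB mass-storage attachment found in log_text.

    Enumeration details are tracked per (host, port) so that the lines that
    precede the usb-storage message can be joined to it; the first sd size
    line that follows on the same host supplies the device node and capacity.
    """
    seen: Dict[tuple, dict] = {}                      # (host, port) -> enumeration details
    pending: Dict[str, RemovableStorageEvent] = {}    # host -> storage event awaiting its sd line
    events: List[RemovableStorageEvent] = []

    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # not a kernel message in the expected envelope
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")

        if nd := NEW_DEVICE_RE.match(msg):
            seen[(host, nd["port"])] = {"vid": nd["vid"], "pid": nd["pid"], "name": "unknown"}
        elif mf := MANUFACTURER_RE.match(msg):
            seen.setdefault((host, mf["port"]), {"vid": "????", "pid": "????"})["name"] = mf["name"]
        elif ms := MASS_STORAGE_RE.match(msg):
            info = seen.get((host, ms["port"]), {"vid": "????", "pid": "????", "name": "unknown"})
            ev = RemovableStorageEvent(ts, host, ms["port"], info["vid"], info["pid"], info["name"],
                                       approved=f"{info['vid']}:{info['pid']}" in approved_ids)
            events.append(ev)
            pending[host] = ev
        elif (ds := DISK_SIZE_RE.match(msg)) and host in pending:
            ev = pending.pop(host)
            ev.device_node = ds["node"]
            ev.capacity = ds["size"].strip()
    return events


if __name__ == "__main__":
    # Hypothetical approved list: a single issued flash drive model.
    for ev in find_removable_storage(SAMPLE_LOG, frozenset({"0781:5567"})):
        status = "approved" if ev.approved else "UNAPPROVED"
        print(f"{ev.timestamp} {ev.host} port {ev.port}: {ev.manufacturer} {ev.usb_id} "
              f"-> /dev/{ev.device_node} ({ev.capacity}) [{status}]")
```

The non-storage device on ws03 never produces a usb-storage line, so it is not reported; only the flash drive on ws17 is, with its vendor:product ID and capacity, which is what a reviewer needs to decide whether the attachment was permitted. Pointing the parser at a real syslog feed instead of the embedded sample is a one-line change.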

In short, this circumstance is going to take thought and effort to devise appropriate solutions, and it will cost money and take additional effort to implement them. If anybody’s aware of available tools or technology to support centralized control over access to portable or removable storage, please e-mail me some particulars. I’ll be covering this interesting and potentially dangerous issue again once I’ve had more time to think and conduct some research. It’s a potentially important problem, though.